From 2dfa9266a8ce9f0d08b210302c523e8b8058e0f8 Mon Sep 17 00:00:00 2001
From: Frederick Witty <frederickw@mindpointgroup.com>
Date: Mon, 8 Sep 2025 11:54:57 -0400
Subject: [PATCH] Update cryto policy var to standard

Signed-off-by: Frederick Witty <frederickw@mindpointgroup.com>
---
 defaults/main.yml             |  6 +++---
 tasks/prelim.yml              |  2 +-
 tasks/section_1/cis_1.6.x.yml | 12 ++++++------
 tasks/section_5/cis_5.1.x.yml |  6 +++---
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/defaults/main.yml b/defaults/main.yml
index b829873..c46ece3 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -586,7 +586,9 @@ rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword'  # pr
 # This variable governs whether a bootloader password should be set in '/boot/grub2/user.cfg' file.
 rhel9cis_set_boot_pass: true
 
-## Controls 1.6.x
+## Controls 1.6.x and Controls 5.1.x
+# This variable governs if current Ansible role should manage system-wide crypto policy.
+rhel9cis_crypto_policy_ansiblemanaged: true
 # This variable contains the value to be set as the system-wide crypto policy. Current rule enforces NOT USING
 # 'LEGACY' value(as it is less secure, it just ensures compatibility with legacy systems), therefore
 # possible values for this variable are, as explained by RedHat docs:
@@ -594,8 +596,6 @@ rhel9cis_set_boot_pass: true
 #  -'FUTURE': conservative security level that is believed to withstand any near-term future attacks
 #  -'FIPS': A level that conforms to the FIPS140-2 requirements
 rhel9cis_crypto_policy: 'DEFAULT'
-## Controls 1.6.x and Controls 5.1.x
-rhel9cis_crypto_policy_ansible_managed: true
 # This variable contains the value of the crypto policy module(combinations of policies and
 # sub-policies) to be allowed as default setting. Allowed options are defined in 'vars/main.yml' file,
 # using 'rhel9cis_allowed_crypto_policies_modules' variable, which currently are:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 1368993..7321267 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -136,7 +136,7 @@
   register: prelim_systemd_coredump
 
 - name: "PRELIM | PATCH | Setup crypto-policy"
-  when: rhel9cis_crypto_policy_ansible_managed
+  when: rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
index 6f3d6af..8aace04 100644
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@@ -3,7 +3,7 @@
 - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
   when:
     - rhel9cis_rule_1_6_1
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -41,7 +41,7 @@
   when:
     - rhel9cis_rule_1_6_3
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -72,7 +72,7 @@
   when:
     - rhel9cis_rule_1_6_4
     - "'NO-WEAKMAC' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -103,7 +103,7 @@
   when:
     - rhel9cis_rule_1_6_5
     - "'NO-SSHCBC' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -134,7 +134,7 @@
   when:
     - rhel9cis_rule_1_6_6
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -165,7 +165,7 @@
   when:
     - rhel9cis_rule_1_6_7
     - "'NO-SSHETM' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index ee384d3..42ca036 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -80,7 +80,7 @@
   when:
     - rhel9cis_rule_5_1_4
     - "'NO-SSHWEAKCIPHERS' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -109,7 +109,7 @@
   when:
     - rhel9cis_rule_5_1_5
     - "'NO-SHA1' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation
@@ -138,7 +138,7 @@
   when:
     - rhel9cis_rule_5_1_6
     - "'NO-SSHWEAKMACS' not in rhel9cis_crypto_policy_module"
-    - rhel9cis_crypto_policy_ansible_managed
+    - rhel9cis_crypto_policy_ansiblemanaged
   tags:
     - level1-server
     - level1-workstation